Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Refactor hash-to-curve around digest::XofReader trait #643

Open
wants to merge 47 commits into
base: master
Choose a base branch
from

Conversation

burdges
Copy link
Contributor

@burdges burdges commented Apr 25, 2023

Description

Addresses several concerns:

Hash-to-field and hash-to-curve are logically consumers of XoFs. The hash-to-curve spec is written this way. Also, ristretto exploits this, likely so do other elligator deployments, including some ed25519 protocols. It follows polymorphic implementations should expose hashing directly from XoFs, but still push users towards compliant domain separation. In fact, arkworks' hash-to-curve cannot currently use shake cipher suites, or other XoFs, only sha2 ones, which excludes some elligator curves, and all curves with security levels above 128 bits.

At the same time, the hash-to-curve spec creates messy dependencies across its internal XoF boundary. In particular, a security parameter plays several roles but depends upon the curve, or even the specific hash-to-curve. We hide this annoying security parameter in the MapToCurve trait. It's plausible but uncertain if digest::core_api::BlockSizeUser might permit computing this security parameter from the hash selected.

Arkworks' Field as UniformRand cannot be made constant-time, so this exposes hashing-to-fields directly. At present, this hashing-to-fields is not constant-time because arkworks' field arithmetic is not constant-time, but at least one could deploy a protocol built with hash-to-field and later do constant-time field code.

We do not expose hash-to-field in exactly the style of the hash-to-curve spec. A hash-to-curve for bls12-381 has 128 bits of security, but one could build a curve with higher security with the same base field or whose group order matched the base field, and then require shake256.

Arkworks needs considerable other boilerplate for hash-to-curve. We make a true default-per-curve hash-to-curve possible.

We preserve roughly the old MapToCurve interface, which already looked suitable for some snark friendly hash-to-curve schemes, although perhaps not within its security assumptions. It's likely the new XoF interface supports some other snark friendly hash-to-curve schemes.

XofVec is an ugly hack, but frankly so is this whole sha2 XoF. This PR removes a lot of needless allocations elsewhere though.

We should discuss this new interface further of course, so no curves PR for now, but doing one looks pretty trivial.

supersedes: #627

closes: #629 & #630


Before we can merge this PR, please make sure that all the following items have been
checked off. If any of the checklist items are not applicable, please leave them but
write a little note why.

  • Targeted PR against correct branch (master)
  • Linked to GitHub issue with discussion and accepted design OR have an explanation in the PR that describes this work.
  • Wrote unit tests
  • Updated relevant documentation in the code
  • Added a relevant changelog entry to the Pending section in CHANGELOG.md
  • Re-reviewed Files changed in the GitHub PR explorer

@burdges
Copy link
Contributor Author

burdges commented May 9, 2023

Do you guys want this PR to be from a non-organizational repo so that you can change it?

I could move somewhere else or @mmagician could move it to be internal or something else?

¨Jeff and others added 19 commits June 11, 2023 17:11
MapToCurve::new seemingly originates from a more runtime oriented
elliptic curve crate:
https://github.com/armfazh/redox-ecc/blob/master/src/ellipticcurve.rs#L36

Arguably test_parameters should be inherent methods, invoked by whoever
defined the parameters, but maybe not?  I left the trait method for now.
Co-authored-by: Pratyush Mishra <pratyushmishra@berkeley.edu>
Co-authored-by: Pratyush Mishra <pratyushmishra@berkeley.edu>
Co-authored-by: Pratyush Mishra <pratyushmishra@berkeley.edu>
Co-authored-by: Pratyush Mishra <pratyushmishra@berkeley.edu>
rustfmt is wrong that f()? should be preferred over f() ?, as errors paths should often be highlighted, but nobody merged that fix yet, so whatever. 
rust-lang/rustfmt#5595
@mmagician
Copy link
Member

@burdges any progress on splitting up the hashing PRs as we discussed offline, for reviews to be more "digestible"?

@burdges
Copy link
Contributor Author

burdges commented Aug 24, 2023

I've been too distracted lately but I'll try to get to it next week. It's really not that hard.

@burdges
Copy link
Contributor Author

burdges commented Sep 5, 2023

Odd, why does 15fc1a5 not appear above now?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

Remove SWUMap and WBMap, fix MapToCurve semantics
2 participants